Cisco CPO: Privacy Is Not About Secrecy or ComplianceMichelle Dennedy sat down with Dark Reading at the recent Cisco Live event to set the record straight about privacy, regulation, encryption, and more.
Before joining Cisco in 2015, Dennedy was vice president for security and privacy solutions at Oracle. Prior, she was chief data governance officer in the cloud computing division and chief privacy officer at Sun before it was acquired by Oracle.
At the just-concluded Cisco Live, in Orlando, Fla., Dennedy sat down with Dark Reading for an interview that ranged from the role privacy plays at the network hardware company to the way GDPR is having an impact on privacy, security, and the networking business. What follows is an edited version of our conversation.
Dark Reading: Tell us about the role of chief privacy officer at Cisco. Is your primary focus on Cisco's activities or Cisco's products?
Dennedy: Half of my role is making sure we are telling our story appropriately. There are a lot of countries that are still grappling with the way privacy laws are written, so I work with them to kind of geek out on how things actually work.
Other parts of my team are working on research. There's not enough research done yet on the financial modeling. How do we know when we're adding the right kinds of protections for privacy? How does that impact the business?
I have an economist and a financial MBA lawyer, a well-overeducated dude who comes up with metrics for me. I use the metrics to run our business better. I think we measured security by the pound until a couple of years ago. Now it just got so big that people couldn't comprehend a billion-person loss.
The other piece is privacy engineering, which is both public and private. I actually just stepped down as chair of IEEE 7002, where we ticked off a privacy engineering IEEE standards body section within the ethics engineering section. We're working on that as a standard to say, "How do you build an environment that is ethical and has privacy engineering?"
That's the external. The internal is training my own scrum masters in an agile environment. We train them on how to look at privacy functionality as a specification or requirement. In all, it's kind of an inside-outside, leftward-sideways, upside-down role.
Dark Reading: You talked about metrics for privacy. Are you saying there's more to privacy than simply walking down a regulatory checklist?
Dennedy: Absolutely, particularly for a company like Cisco. We have a tremendous responsibility, an ethical responsibility. A grand majority of the world's traffic, at some point, hits, touches, or is impacted by Cisco technology. We have the opportunity to make the world a safer place.
If I were to say, "I'm going to look at this fragmented, 125 privacy-jurisdiction world and try to hit compliance region by region just to get out of [regulatory trouble]," I would fail. So instead I say, "What is the outcome?"
The outcome is, how do you tell a story about a person with integrity and respect? That's what privacy is. It's not about secrecy. It's not about compliance. It's about telling human stories with respect.
How do I build that to delight our customers? That's the challenge. That's the race I'm in.
Dark Reading: For many people, data safety belongs under the security umbrella. How much do you work with security teams to try and relieve some of the tension between privacy and security?
Dennedy: I think when I first got into this in the 2000 aughts, it was "versus." I think nowadays we've gotten much closer. I'll put it in my own myopic way: I own the content inside the pipe. And [the CISO] looks for fit in the architecture of the pipe. The architecture may look beautiful, and it might be secure, and it may have been designed to be drip-free. But if you're putting the wrong content through, it doesn't work.
The way that this works really well is, you look at data as an asset. And just like any other kind of asset in your portfolio, you ask, "Where is the highest risk of loss?"
Where you find holes, and where you find weaknesses and vulnerabilities, that's where you prioritize security. That doesn't mean the rest is unsecured, but by having this yin and yang of content and architecture together, it's a much, much stronger network fabric."
Dark Reading: One of the most visible points where security and privacy are in tension is encryption. Privacy advocates want everything encrypted, while security advocates point out correctly that criminal traffic can hide in encryption as easily as legitimate confidential information. What do you think is the proper role of encryption in privacy?
Dennedy: Privacy advocates that want everything encrypted are not experts. They talk a lot, and they have lovely martinis, and I salute them all day long. But encryption is one of a panoply of protective measures, and if you are hiding away something just to hide it away, you're back in compliance land. Not everything needs to be encrypted to be private. Sometimes it starts much earlier in the process.
There's a terrific Ph.D. who I work with. His name is Dave McGrew, and he was the founder of the ETA [Encrypted Traffic Analysis] beast.
His idea was that encryption has a pattern like anything else. So when you see an encrypted flow of data, abnormally timed and sized encryption packets that are flowing through a network in an unexpected way create lumps.
You know what the pattern should look like, and you can imagine and intuit what you think that lump is. Now you have a much smaller subset to inspect. By doing that, we reach much more widely into the network to make sure that we're respecting everybody's security and privacy.
I think when you really look at the purpose and the objective of security tools, and the purpose and the objective of respectful storytelling, you get those things together, and there's so much more innovation that we can do instead of just saying, "Your encryption is pretty."
Dark Reading: Is there anything else you'd like to add that I haven't asked about?
Dennedy: We live in a multimodal, multiproblem-set world, and we try to solve all these multimodal problems with one set of players. If you set the lawyers free — and I'm a lawyer by training — they're going to come up with legalistic arguments. If you set the technologist free, it's the same story.
As advanced as we've become, with these new laws they're trying to keep up with technology, while technologists are finding different ways of being. I think we need more problem-solvers. I think we need a diverse mindset to come up with some solutions.
It's going be a fun world, but that's what we're looking at.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio